Checkpoint : Troubleshooting Checkpoint ClusterXL

I recently came across an issue where SmartView Monitor showed an error for ClusterXL on a freshly rebuilt Checkpoint IP565 firewall. Both Synchronization and Filter were stuck in an initializing state. We tried the following troubleshooting steps initially, to no avail:

cphastop followed by cphastart

cpstop followed by cpstart

reboot of the affected firewall

On digging deeper, we noticed that one of the firewall devices was configured to use multicast and one to use broadcast for cluster communications. This was identified using the command ‘cphaprob -a if’, which presents the following output:

Both firewalls must be configured to use the same method of communication, which can be changed using the command ‘cphaconf set_ccp multicast’ or ‘cphaconf set_ccp broadcast’. Providing your switching infrastructure supports multicast, you should use this mode due to the performance overhead of broadcast communication. This command failed to change the method of communication and left us with no other option than to perform the following steps:

Set Checkpoint Packages as inactive, then delete them, ensuring that the Connectra package is removed first.

Re-install the Checkpoint R65 IPSO Wrapper

Re-install HFA 70

Re-establish SIC via CPConfig and SmartDashboard

Unassign and re-assign license via SmartUpdate

Push policy from the SmartDashboard

After performing these steps the cluster CCP was back to multicast (bizarre really…). We had to perform a reboot of the second device once this was completed, at which point both nodes of the cluster reported no ClusterXL errors. ‘cphaprob list’ showed the following output:
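
Added example, not part of the original post: a small shell check for the CCP mode mismatch described above, run on an admin workstation over the saved text of ‘cphaprob -a if’ from each member. The file names, the function names and the sample captures are constructed, and the script assumes each interface line ends in ", multicast" or ", broadcast".

```shell
#!/bin/sh
# Added example: compare the CCP mode reported by two ClusterXL members.
# Each input file is the saved text of 'cphaprob -a if' from one member.
# Assumption: interface lines end in ", multicast" or ", broadcast".

# Print the distinct CCP modes in one capture, one per line.
ccp_modes() {
    awk '{
        line = tolower($0)
        sub(/[ \t\r]+$/, "", line)
        if (line ~ /[ ,\t](multicast|broadcast)$/) {
            n = split(line, f, /[ ,\t]+/)
            print f[n]
        }
    }' "$1" | sort -u
}

# 0 = both members use the same single mode, 1 = mismatch, 2 = no mode found.
ccp_compare() {
    a=$(ccp_modes "$1"); b=$(ccp_modes "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "UNKNOWN: no CCP mode found in a capture"; return 2
    fi
    if [ "$a" = "$b" ] && [ "$(printf '%s\n' "$a" | grep -c .)" -eq 1 ]; then
        echo "OK: both members use $a"; return 0
    fi
    echo "MISMATCH: A=[$(echo $a)] B=[$(echo $b)]"; return 1
}

# Constructed sample captures (not real output from the affected cluster).
write_samples() {
    printf '%s\n' 'Required interfaces: 2' '' \
        'eth1c0  UP  sync(secured), multicast' \
        'eth2c0  UP  non sync(non secured), multicast' > "$1/fw-a.txt"
    printf '%s\n' 'Required interfaces: 2' '' \
        'eth1c0  UP  sync(secured), broadcast' \
        'eth2c0  UP  non sync(non secured), broadcast' > "$1/fw-b.txt"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
ccp_compare "$demo_dir/fw-a.txt" "$demo_dir/fw-b.txt" || true
rm -rf "$demo_dir"
```

A member that reports different modes on different interfaces is also flagged as a mismatch, since the comparison requires exactly one mode per capture.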